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Abstract 

We obtain the strongest separation between quantum and classical query complexity known 
to date — specifically, we define a black-box problem that requires exponentially many queries 
in the classical bounded-error case, but can be solved exactly in the quantum case with a 
single query (and a polynomial number of auxiliary operations). The problem is simple to 
define and the quantum algorithm solving it is also simple when described in terms of certain 
quantum Fourier transforms (QFTs) that have natural properties with respect to the algebraic 
structures of finite fields. These QFTs may be of independent interest, and we also investigate 
generalizations of them to noncommutative finite rings. 



1 Introduction 



Shor's algorithm [18| for factoring integers in polynomial-time on a quantum computer evolved 
from a series of quantum algorithms in the query model. This model appears to be useful for 
exploring the computational power of quantum information. In the query model, the input data 
is embodied in a black-box and the goal is to efficiently deduce some property of the black-box. 
Efficiency is measured in terms of the number of queries made to the black-box. A secondary 
measure of efficiency is also considered: the number of auxiliary operations that must be performed 
to generate the input to the queries and process the output. We will implicitly require that the 
number of auxiliary operations scales polynomially with the number of bits/qubits input to each 
query. 

The first instance of a quantum algorithm outperforming a classical algorithm in the query 
model was due to Deutsch where a quantum algorithm is able to solve a 2-bit query problem 
with one query (see also 0), whereas any classical algorithm for the problem requires two queries. 
(A k-bit query is one that takes k bits/qubits as input and returns k bits/qubits as output.) This 
was extended by Deutsch and Jozsa who defined an (n -|- l)-bit query problem that can be 
solved exactly with one query by a quantum algorithm whereas it requires r2(2"') queries to solve 
exactly classically. In spite of the apparent strength of this separation, the problem is only hard 
in the classical setting if the algorithm must be exact, meaning that no probability of error is 
tolerated. A bounded-error algorithm is one that is allowed to err, provided that for any black-box 
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instance its error probability is bounded below some constant smaller than 1/2. There is a classical 



algorithm that solves the problem in |11] with bounded error using only 0(1) queries. 

Subsequent work by Bernstein and Vazirani Q included an (n + l)-bit query problem that 
can be solved exactly with a quantum algorithm making one query, whereas any bounded-error 
classical algorithm for it requires n queries. They also showed that a recursively defined version of 
this problem results in a 0(n)-bit query problem whose exact quantum and bounded-error classical 
query complexities are 0(?7-logn) and n^('°s"'), respectively. This was improved by Simon |1£], who 
gives a fairly simple 0(n) vs. r2(2"/^) bounded-error quantum vs. bounded-error classical query 
separation. Brassard and H0yer |^ later showed that the problem considered by Simon can in fact 
be solved exactly in the quantum setting with 0{n) queries. 

When cast in the query model, Shor's factoring algorithm can be viewed as an extension of 
Simon's work — it is a quantum algorithm that solves a 3n-bit query problem with bounded-error 
with 0(1) quantum queries, while any classical algorithm for this problem requires 
queries (the lower bound is proved in |^]). 

What is the sharpest quantum vs. classical query complexity separation possible? For problems 
that can be solved exactly with a single quantum query, it appears that the maximum classical 
bounded-error query complexity previously-known for such a problem is n |^]. However, if the 
efficiency and performance of the quantum algorithm are relaxed to allow 0(1) queries and a 
bounded-error result then there is a problem whose classical bounded-error query complexity is 
exponential |l^, 

Presently, we show that the best of the above two scenarios is possible by exhibiting a 2n-bit 
query problem such that: 

• In the quantum setting, a single query suffices to solve the problem exactly. Moreover, the 
auxiliary operations are very simple; they consist of 0(n) Hadamard gates followed by 0{n?) 
classical gate operations that can occur after a measurement is made. 

• In the classical setting, f](2"/^) queries to the black-box are necessary to solve the problem 
with bounded error. 

The problem that achieves the above, which we call the hidden linear structure problem, is defined 
over the field GF{2'^) as follows. Assume elements of the finite field G'F(2") are identified with 
strings in the set {0,1}". Let vr be an arbitrary permutation on GF{2'^) and let r G GF(2"). 
Define the black-box B as computing the mapping from GF(2") x GF(2") to itself defined as 
i?(x, y) = (x, 7r(y -|- sx)). The goal of the query problem is to determine the value of s. 

It should be noted that this problem is related to, but different from, the hidden linear function 
problem considered by Boneh and Lipton Q. In our problem, the linear structure occurs over the 
field GF{2"') (and involves the multiplicative structure of GF(2")), whereas for the hidden linear 
function problem of Boneh and Lipton the linear structure is of certain periodic functions from the 
additive group Z'^ to some arbitrary range. This does not result in the quantum vs. classical query 
complexity separation that we obtain. 

It should also be noted that our hidden linear structure problem is a special case of the hidden 



subgroup problem defined by Brassard and Il0yer [g] and Mosca and Ekert [17]. (This relationship 
was pointed out to us by Hallgren [|l4|.) However, using standard techniques for the hidden subgroup 
problem results in a quantum algorithm solving the hidden linear structure problem with Q{n) 
queries, as opposed to a single query as required by our algorithm. 

Finally, one may also consider a variant of our hidden linear structure problem defined over a 
finite ring (such as Z2") rather than a field. However, the exponential classical query complexity 
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lower bound depends on the field structure and does not always hold for finite rings. For example, 
in the case of Z2" , the classical query complexity is n + 1 rather than exponential (this is explained 
in section |3|). 

Our single-query quantum algorithm for the hidden linear structure problem is based on an 
extension of the quantum Fourier transform (QFT) to finite fields whose behavior has natural 
properties with respect to the field structure. This QFT is motivated and defined in section 
where an efficient quantum algorithm for it is also given. The quantum algorithm and classical 
lower bound for the hidden linear structure problem are given in section ^. In section the QFT 
is generalized to rings of matrices over finite fields. 

Related work. Van Dam and Hallgren have independently proposed a definition for QFTs 
over finite fields that is similar to ours, and have applied these transforms in the context of black- 
box problems called the "shifted quadratic character problems". Their work first appeared as |^ 
and the preliminary version of this paper appeared as S. 



2 Quantum Fourier transforms for finite fields 

In this section we propose a definition for quantum Fourier transforms over finite fields, whose 
behavior has natural properties with respect to a given field's structure. We also show how to 
compute these transformations efficiently. 

We assume the reader is familiar with basic concepts regarding finite fields and computations 



over finite fields (see, for instance, g, 12, |16[). As usual, we let GF{q) denote the finite field 
having q = elements for some prime p. We assume that an irreducible polynomial f{Z) = 
— Yl]=o ^j^'' ^^^^ GF{p) is fixed, and that elements of GF{q) are represented as polynomials 
over GF{p) modulo / in the usual way. We will write x = (xq,.-- iXn-i) to denote the field 
element corresponding to xq + xiZ + • • • + Xn-iZ"'~^, and we identify x with the column vector 

X = [xq, . . . ,Xn^l]^- 

Definition 2.1 Let (p : GF{q) GF{p) be any nonzero linear mapping (viewing elements of 
GF[q) as n dimensional vectors over GF[p) as above). Then we define the quantum Fourier 
transform (QFT) over GF{q) relative to (f) (denoted Fq^fp) as follows. For each x £ GF{q), 

y(^GF{q) 

for uj = e^'^*/P, and let Fg^^j, be extended to arbitrary quantum states by linearity. 

A natural choice for cj) is the trace, since this gives a transform independent of the choice of /. 
However, we will not require this property, and so we allow (j) to be arbitrary. It should be noted 
that, for any prime q, the above Fourier transform is essentially identical in form to the conventional 
cyclic Fourier transform modulo q. 

An important property of these transformations is illustrated in Figure |l], where F denotes the 
QFT and the two-register gate labeled by s G GF{q) denotes the mapping |a;)|y) 1— > \x)\y + sx) . 
Let us refer to the latter gate as a controlled- A DDg gate, with its first input called the control 
register and its second input called the target register. The property illustrated in the figure will 
be referred to as the control/target inversion property. In words, conjugating a controlled-ADDg 
gate hy F F^ switches its control and target registers. In the special case of GF{2), F is the 
Hadamard gate and the two-qubit gate is the controlled-NOT gate (when s = 1). 
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Figure 1: The control/target inversion property. 



Theorem 1 For q = and any nonzero linear mapping (j) : GF(q) GF{p), Fg^^ is unitary and 
satisfies the control/target inversion property of Figure^. 

Proof: First let us show that F^ ^Fq^^\x) = \x) for every x e GF{q). We have 
1 

'71. 



y€GF{q) y&GF{q) zeGF{q) 

= E (- E ^^^'^"""^^ I \z) = \x} 

z&GF{q) y yeGF(q) 

following from the fact that 4'{w) must be uniformly distributed over GF{p) as w ranges over GF(q) 
(since (j) is linear and not identically zero). 

Next let us verify that the control/target inversion property holds, namely that for Ag and Bg 
defined by As\x)\y) = \x)\y + sx) and Bs\x)\y) = \x + sy)\y) we have 

iFl^'^F,^^)As{Fg,^^Fl^) = B.,. 

To prove this relation holds, let us define 

^ yeGF{q) 

for each x £ GF{q), and note that for defined by Pw\x) = \x + w) we have 



V ^ y<-GF{q) V ^ yeGFiq) 

Now, for each x,y £ GF[q) we have 

iPU®F,,<i>)MFq,^(^FU)\x)\y) = {fI^(^f,^^)As{^ ^'^^'"^N)IV'-.) 

z&GF{q) 
Y'^zeGFiq) 

= {Fl^®Fq^^)\^^ + ,y)\i^_y) 

= \x + sy)\y) 
= B,\x)\y) 



yi 
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Figure 2: Equivalent circuits for F„ 



as required. 



Next we describe quantum circuits for performing Fg^^ and analyze their complexity. Let C{p, e) 
denote the minimum size of a quantum circuit approximating the quantum Fourier transform 
modulo p to within accuracy e. Note that C{p,0) G O(p^logp) Q and, for e > 0, C{p,e) E 



0(logploglogp + logplog 1/e) when e £ il.{l/p) ||13| 



Theorem 2 For q = p^ and any nonzero linear mapping (p : GF(q) GF{p), Fq^^ can he 
performed with accuracy e by a quantum circuit of size 0(n^(logp)^) + nC{p,e/n). 

Thus, when p = 2 (or any constant), the QFT circuit size is O(n^) in the exact case. 

Proof of Theorem |2|: For any choice of (f> (linear and nonzero) , there exists a uniquely determined 
n X n matrix over GF{p) such that (pixy) = x'^ M0. We show how to efficiently obtain such a 
matrix explicitly for any given (p below. The quantum circuit performing F^^^ will depend on 
M^, and we note that must be invertible. 
We have 

F.A-) = ^^ E -^"^^%) = ^ E -^"^iM-,-) = ^ E -^^^'^^^'%)- 

y€GF{q) y(zGF{q) y(zGF{q) 

From this we conclude that 

Fq^^ = M-\Fp • • • ® Fp) = (Fp • • • Fp)Mj, 

where Fp denotes the usual quantum Fourier transform modulo p and, for A G {M^^ , MJ}, we 
identify A with the reversible operation that maps each \x) to \Ax). This relation is illustrated in 
Figure |2|. 

The upper bound of 0(n^(logp)^) + nC{p,e/n) now follows from the observation that in order 
to implement Fg^^ with accuracy e it suffices to implement each circuit for Fp with accuracy e/n 
(contributing nC{p,e/n) gates to the final circuit) and to implement the circuit for multiplication 
by either MJ or exactly. Let A e {M~^,MJ}. Multiphcation of an n-dimensional vector 

V hy A can be done with 0{n^) arithmetic operations in GF{p), each of which can be performed 
by a circuit of size 0((logp)^), resulting in a circuit of size 0(n^ (log p)^). In order to implement 
this transformation reversibly within the same size bound, it suffices to be able to invert the 
computation in this size bound. Inverting this computation is simply multiplication by A~^, which 
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can be performed in precisely the same size bound. (Note that the circuit itself does not need 
to invert A, but rather information about A and A^^ is pre-computed and "hard-coded" into the 
appropriate circuit for Fg,,/,.) 

Now let us return to the question of determining the matrix M,^ corresponding to a given (j). 
First, note that multiplication of field elements satisfies 



{Zo, ... , Zn-l) = (Xo, ... , Xn-l) ■ {Vo, • • • , Vn-l) 



where 



(1) 



for a certain sequence of n x n matrices Bq, . . . , Bn-i over GF{p). 

Let us explicitly construct a sequence Bq, . . . ,Bn-i that satisfies Eq. ||. To do this, it will be 
helpful to review the notion of Hankel matrices. An nx n Hankel matrix A is a matrix of the form 



A 



to 


tl 


t2 


• tn-1 


tl 


t2 


ts 


tn 


t2 


t3 




tn+1 


tn-1 


tn 


tn+1 ■ 


■ t2n- 



(2) 



That is, the "anti-diagonals" each contain only one element (or, equivalently, depends only 

on i + j). The Hankel matrix in Eq. ^ will be denoted Hankel(to, ^i, • • • , ^271-2)- 
Recall that we have 



n-l 



^ J^a,-^-'' (mod/(Z)), 

j=0 

where / is as described at the beginning of the current section. Write aj°^ = aj for j = 0, . . . ,n—l 
We will actually need numbers aj^^ (for j = 0, . . . ,n — 1, k = 0, . . . ,n — 2) such that 

n-l 

^n+k ^ ^afz^ (mod/(Z)). 
3=0 

These numbers are easy to obtain. Define an n x n matrix V as follows: 



V 





1 
1 





ao 
ai 
a2 



1 a. 



n—l 



Then 



(fc) (fc) 

^0 ! ■ ■ ■ ' "n-l 
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Finally, we can describe the matrices Bq, . . . , Bn~i- For each i = 0, . . . , n — 1, 

Bi = Hankel (^6o^i, 6i^i, ... , 6n-i,i, af \ af \ . . . , a,-""^^) • 

(Here, (5j.j is the Kronecker-(5 symbol.) A straightforward computation reveals that this choice for 
Bo, . . . , Bn-i satisfies Eq. |l|. It is also not hard to show that these matrices Bq, . . . , Bn-i are the 
only matrices satisfying Eq. ||, and that each Bi is necessarily invertible. 

Now, since (p : GF{q) — > GF[p) is linear and not identically zero, we must have (/>(x) = 
Yl^Zo for each x G GF{q) for some choice of Aq, . . . , A„_i G GF{p) (not all 0). At this point 
we see that (j){xy) = x'^ Mfj,y for = "^"Zq XiBi. Equivalently, we have 

(n—l n—1 \ 

Ao, . . . , A„_i, ^ Xiaf\. • • , ^ AjCj^""^^ . 
i=0 j=o / 

■ 

In the previous theorem, we have ignored the issue of circuit uniformity. However, it follows 
from the proof that each circuit for Fq^^ can be generated in polynomial time under a similar 
assumption on the circuits for performing Fp. 



3 The hidden Unear structure problem 

For a prime power q, define the hidden linear structure problem over GF{q) as follows. In the 
classical version, one is given a black-box that maps {x,y) G GF{q) x GF[q) to {x,7r{y + sx)), 
where vr is an arbitrary permutation on the elements of GF{q) and s £ GF{q). Analogously, in the 
quantum case, one is given a black-box performing the unitary transformation that maps |a;)|y) 
(x,y G GF{q)) to \x)\TT{y + sx)). The goal is to determine the value of s. 

In this section, we give a sharp quantum vs. classical query complexity separation for the 
hidden linear structure problem. First, in the classical case, ^{yfq) queries are necessary to solve 
this problem, even with bounded error. Second, in the quantum case, a single quantum query is 
sufficient to solve the hidden linear structure problem exactly, provided that one can compute the 
QFTs Fq^^ and F^^. In the case where g = 2", the QFT can be performed exactly with only 
O(n^) basic operations (Hadamard gates and controlled-NOT gates). The result is a single-query 
exact quantum algorithm to extract s with 0{n'^) auxiliary operations. Moreover, in this case the 
algorithm can be streamlined so as to consist of 0{n) Hadamard gates, the single query, and 0{v?) 
classical post-processing after a measurement is made. In the case where q is an n-bit prime, our 
results are weaker, since the best procedure that we are aware for performing the QFT exactly in 
that case is O(p^logp) = 0(724"). 

It should be noted that if the finite fields are relaxed to finite rings then, for the analogous 
hidden linear structure problem, the quantum vs. classical classical query complexity separation 
may be much weaker. This is because the classical query complexity of the problem can become 
much smaller. For example, for the ring , there is a simple classical procedure solving the hidden 
linear structure problem with only n + 1 queries. It begins by querying (0, 0) and (2"^^, 0), yielding 
7r(0) and 7r(s2"~^) respectively. If 7r(0) = 7r(s2"~-^) then s is even; otherwise s is odd. Thus, two 
queries reduce the number of possibilities for s by a factor of 2. If s is even then the next query 
is (2"'~^,0), yielding 7r(s2"~-^), which determines whether s mod 4 is or 2. If s is odd then the 
next query is (2"~^, 2" — 2"~^), yielding 7r(2" — 2"~^ + s2"'~^), which determines whether s mod 4 
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is 1 or 3. This process can be continued so as to deduce s after n + 1 queries. For this reason, 
our attention is focused on the hidden hnear structure problem over fields (though we do consider 
QFTs for some noncommutative rings in the next section). 
We proceed with the classical lower bound. 

Theorem 3 ^{^/q) queries are necessary to solve the hidden linear structure problem over GF{q) 
within error probability ^ . 



Proof: The lower bound proof is similar to that for Simon's problem ||19[. First, by a game- 
theoretic argument [^], it suffices to consider deterministic algorithms where the input data, em- 
bodied by the values of s and vr, is probabilistic. Set both s G GF{q) and vr (a permutation on 
GF{q)) randomly, according to the uniform distribution. Consider the information obtained about 
s after k queries ,{xk,yk) (without loss of generality, the queries are all distinct). If, 

for some i j, the outputs of the i^^ and j^^ queries collide in that 7r(yi + sxi) = ^{yj + sxj), then 
yi + sxi = yj + sxj , which implies that the value of r can be determined as 

s = (3) 

(note that xj — Xi ^ 0, since this would imply that {xi,yi) = {xj, yj))- On the other hand, if there 
are no collisions among the outputs of all k queries then all that can be deduced about s is that 

s / (4) 

for all 1 < i < j < A;. This leaves q — k{k — 1) /2 values for s, which are equally likely by symmetry. 

Now, consider the probability of a collision occurring at the A;**^ query given that no collisions 
have occurred in the previous k — 1 queries. After the first k — 1 queries, there remain at least 
q — {k — l){k — 2) /2 > q — k'^/2 possible values of s, equally likely by symmetry. Of these values, at 
most k — 1 induce a collision between the k^^ query and one of the k — 1 previous queries. Therefore, 
the probability of a collision occurring at the k^^ query is at most 

(5) 



q-k^/2 - 2q-k^' 

It follows that the probability of a collision occurring at all during the first I queries is bounded 
above by 

^-^ 2k P 

^2q-k^- 2^^' 
fc=i ^ ^ 

If this probability is to be greater than or equal to 1/2 then P /{2q — P) > 1/2, which implies that 



1>V^^^{Vq)- (7) 



Next, we describe the quantum algorithm. 

Theorem 4 For a given field GF{q), if Fq^^ and F^ ^ can be performed for some nonzero linear 
mapping (p then a single query is sufficient to solve the hidden linear structure problem exactly. 
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Proof: The quantum procedure is to initialize the state of two G'F(g)-valued registers to |0)|1) 
(where and 1 are respectively the additive and multiplicative identities of the field) and perform 
the following operations (where F = Fg^^): 

1. Apply F (g) Ft. 

2. Query the black box. 

3. Apply Ft 0F. 

Then the state of the first register is measured. 

Tracing through the evolution of the state of the registers during the execution of the above 
algorithm, the state after each step is: 

1. (F|0))(Ft|l)) 

2. (F|.))(C/.Ft|l)) 

3. I s) (Ft/, Ft 1 1)) 

The transformation from step 1 to step 2 follows from the control/target inversion property, as 
shown in figure |l[ It is clear that the output of the algorithm is s. ■ 

As mentioned previously, the transformation F2"^^ for any (p is particularly simple, and yields 
the following algorithm. 

1. Initialize the state of two GF(2")-valued registers to the (classical) state |O)|M0l). 

2. Apply a Hadamard transform to each qubit of each register. 

3. Query the black-box. 

4. Apply a Hadamard transform to each qubit of each register. 

5. Measure the first register, yielding an n-bit string z. 

6. Classically, compute {MJ)~^z. 

The result will be s. 

4 Extension to Rings 

It is natural to generalize the concept of controlled addition as we have seen it to rings in general. 
So, one might ask whether, for all rings, there exist operations corresponding to "quantum Fourier 
transforms" in the sense that they perform control/target inversion on controlled- addition gates 
over that ring. While we do not know the answer to this question, we will show that for any 
commutative ring R where such a Fourier transform exists, it is possible to define quantum Fourier 
transforms for the noncommutative ring of mxm matrices over R. 
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Let us introduce some notation. In this section, all matrices are understood to be square 
matrices. Given an array of quantum registers {Eij} over a commutative ring R, we associate 
the state \xij) with the register Eij. We also identify the mxm matrix X given by 



X = 



with the product state 

m m 

\X) \Xij) = \xii) 1X12) ■ • • \xim) \x2l) ■ ■ ■ \Xmm) 

i=l j=l 

of the states of the registers. We then make the following definition. 

Definition 4.1 Let Fr be a quantum Fourier transform over a commutative ring R. Then we 
define the quantum Fourier transform over i?"*^"* by the following mapping for each matrix X = 

m rn 

FR,m--\X) ^(^(^FR\xji). 

i=l j=l 

That is, the quantum Fourier transform of \X) is performed by applying the Fourier transform Fr 
independently to all the quantum registers used to represent X, and transposing those registers (or 
their states) within the register array. 

Multiplication in matrix rings over R will, in general, be non-commutative. Therefore, in 
working with matrices, we must distinguish between left and right multiplication when defining 
the controlled addition operators. We define left-controlled addition with parameter S (denoted by 
Cs*) and right-controlled addition with parameter S (denoted by C*5) by the following action on 
basis states: 

Cs* : \X) \Y) ^ \X) \Y + SX) C,s : \X) \Y) ^ \X) \Y + XS) 

As well, we introduce left and right controlled addition operators with the roles of the target and 
control registers reversed: 

Ds, : \X)\Y) ^ \X + SY)\Y) D,s : \X)\Y) ^ \X + YS)\Y) 

As the order of multiplication becomes important for rings in general, we find it reasonable to 
make the following expansion of the definition of control/target inversion: a gate G performs 
control/target inversion on controlled addition gates over a given ring if the following equality 
holds: 

That is, in addition to the roles of target and control being interchanged, the manner of multipli- 
cation (left or right) is switched. In the case where the ring is commutative, this reduces to the 



Xn Xi2 ... Xim 
X21 X22 ■■■ X2m 

X-ml Xfn2 ■ ■ ■ Xmm 
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definition given previously (see Figure [T|) . We will now show that the quantum Fourier transform 
-Pi?,m defined above has this property for mxm matrices over R, when Fji is defined and has the 
control/target inversion property on R. 

For input matrices X and Y over R, we denote 

mm mm 

l^)=(2)(2)k..) \Y)=lS)®\y^3) 

i=l j=l i=l j=l 

Let Eij represent the register which stores the state and Fij represent the register which 

stores the state \yij). Define the operator as a controlled- ADD^ gate which operates on a 

control register En, and a target register F^j, and B^^j^{s) as a controlled- ADD^ gate which operates 
on a control register Fik and a target register Eij. Then we can decompose Cs* as the following 
product of operators: 

m m m 

i=i j=i k=i 

This can be easily verified by testing the effect of this product on the ij'-th target register, where we 
see that the effect (for basis states) is to add the term XikSkj for each 1 < k < m. Control/target 
inversion is expressed for these gates in the following manner: 

{Fn^'^"'\FR^"'')Af;{skj){FR^"'' (^Fr^^"'") = Bf;{sk,). 

Here, the quantum Fourier transforms cancel one another out on all registers except the ij-th target 
register and the i/c-th control register, where control/target inversion occurs. 

Using this decomposition, and applying quantum Fourier transforms to the individual registers 
before and after this product of gates in the same manner as above, we obtain: 

(Fh^^'"' ® Fr^-')CUFr^-' ® F^t^-^) 

m m m m m m m m m 

= n n n ^^(-^.) = n n n (^^.) = n n n = ^s^* 

i=lj=lk=l i=lk=lj=l i=lj=lk=l 

That is, the roles of the control and target registers are reversed, and although the manner of 
multiplication is unchanged, the parameter matrix S is transposed. 

Note that the quantum Fourier transform FR^m on mxm matrices over R can be decomposed 
into an application of Fr on each element of the matrix, and transposing the matrix (denoted by 
the operator T^), in any order: 



FR,m = {Fr^"" )Tm = Tm{F, 



R 



Clearly, TmTm = Im (the identity mxm matrix). Then, we can verify that FR^^n performs con- 
trol/target inversion on controlled addition gates over R^^"^: 
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= (T^®r„)i?5TjxT)|yT) 
= |x + y5)|y) 

= D,s\X)\Y), 

which is what we wished to show. 

As for extending the hidden hnear structure problem to arbitrary rings, it is not clear for 
which rings R an exponential separation can be achieved. The ability to perform control/target 
inversion for this problem when R = GF(p^)"^^^ (for example) indicates that the problem can 
be solved in one query in the quantum case, but we do not have strong classical lower bounds for 
this case. However, there do exist rings, such as GF{p'^)x GF^p"^), where exponential separation 
can be shown, building on the proof for GF{p'^); thus, the strong separation in the case of finite 
fields is not an isolated case. Considering the proofs of the classical upper bound for Zpn and lower 
bound for GF{p'^), it seems plausible that rings exhibiting a strong separation will have very few 
zero divisors, or little additive structure among the zero divisors. Both of these statements hold for 
GF(p^'')x GF{p^''), which has a ratio of 0{l/p'^) zero divisors among its elements, and which only 
has two ideals which have only a trivial intersection. 
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